CVE-2014-3487 — Improper Input Validation in Project File

CWE-20 — Improper Input Validation15 documents10 sources

Severity

4.3MEDIUMNVD

OSV6.5OSV5.0

EPSS

19.4%

top 4.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

File Project File PHP Php5 +3 more

Timeline

PublishedJul 9

Latest updateMay 17

Description

The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages7 packages

▶NVDfile_project/file< 5.19

▶Debianfile_project/file< 1:5.19-1+3

▶Ubuntufile_project/file< 1:5.14-2ubuntu3.1

▶NVDphp/php5.4.0 — 5.4.30+2

▶Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.3

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: bugs.php.net ↗Patch: github.com ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-99xh-vjw8-p886: The cdf_read_property_info function in file before 5↗2022-05-17

▶

OSV

file vulnerabilities↗2014-07-15

▶

CVEList

CVE-2014-3487: The cdf_read_property_info function in file before 5↗2014-07-09

▶

OSV

php5 vulnerabilities↗2014-07-09

▶

OSV

CVE-2014-3487: The cdf_read_property_info function in file before 5↗2014-07-09

▶

📋Vendor Advisories

Ubuntu

file vulnerabilities↗2014-07-15

▶

Ubuntu

PHP vulnerabilities↗2014-07-09

▶

Red Hat

file: cdf_read_property_info insufficient boundary check↗2014-06-27

▶

Debian

CVE-2014-3487: file - The cdf_read_property_info function in file before 5.19, as used in the Fileinfo...↗2014

▶

Apple

CVE-2014-3487: OS X Yosemite v10.10.3 and Security Update 2015-004↗

▶

🕵️Threat Intelligence

Tenable

[R6] SecurityCenter Affected by Multiple Third-party Library Vulnerabilities↗2014-07-16

▶

💬Community

Bugzilla

CVE-2014-3487 php: file: cdf_read_property_info insufficient boundary check [fedora-all]↗2014-06-30

▶

Bugzilla

CVE-2014-3487 file: cdf_read_property_info insufficient boundary check [fedora-all]↗2014-06-30

▶

Bugzilla

CVE-2014-3487 file: cdf_read_property_info insufficient boundary check↗2014-06-10

▶